OpenSSL Security Advisory [29-Nov-2007]
OpenSSL FIPS Object Module Vulnerabilities
------------------------------------------
A significant flaw in the PRNG implementation for the OpenSSL FIPS Object
Module v1.1.1 (https://www.openssl.org/source/openssl-fips-1.1.1.tar.gz, FIPS
140-2 validation certificate #733,
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#733) has
been reported by Geoff Lowe of Secure Computing Corporation. Due to a coding
error in the FIPS self-test the auto-seeding never takes place. That means
that the PRNG key and seed used correspond to the last self-test. The FIPS
PRNG gets additional seed data only from date-time information, so the
generated random data is far more predictable than it should be, especially
for the first few calls.
This vulnerability is tracked as CVE-2007-5502.
Versions Affected
-----------------
OpenSSL FIPS Object Module v1.1.1 only. Only those applications using this
specific version of the OpenSSL FIPS Object Module which enter FIPS mode are
affected. Applications which do not enter FIPS mode or which use any other
version of OpenSSL are not affected. The OpenSSL FIPS Object Module v1.2 now
undergoing validation testing is not affected.
Recommendations
---------------
Wait for official approval of a patched distribution.
For reference purposes the patches
https://www.openssl.org/news/patch-CVE-2007-5502-1.txt
(the simplest direct fix) and:
https://www.openssl.org/news/patch-CVE-2007-5502-2.txt
(a workaround which avoids touching the PRNG code directly) demonstrate two
different fixes that independently address the vulnerability. However, for
FIPS 140-2 validated software no changes are permitted without prior official
approval so these patches cannot be applied to the v1.1.1 distribution for
the purposes of producing a validated module.
The vendor of record for the FIPS validation, the Open Source Software
Institute (OSSI), has supplied the information needed for a "letter change"
update request based on the latter of these two patches to the FIPS 140-2
test lab to be submitted for official approval. Once (and if) approved the
new distribution containing this patch will be posted as
https://www.openssl.org/source/openssl-fips-1.1.2.tar.gz. The timeline for this
approval is presently unknown.